cPanel information disclosure via env.cgi file - PC✗3
cPanel information disclosure via env.cgi file

CGI environment variables are used to display information when debugging applications, or to pass that information on to another script. If you search Google for “env.cgi” you will find thousands of such files that disclose sensitive information to the public; one example is: http://staff.washington.edu/ken/env.cgi

The file /backend/env.cgi is accessible to any logged-in cPanel user and displays information such as the cPanel username, password, and cp_security_token.

[Screenshot: env.cgi output as shown to a logged-in cPanel user]

It’s a simple file that displays all environment variables:

# Walk every CGI environment variable (sorted by name) and print it as "NAME = value"
foreach my $env ( sort keys %ENV ) {
    print "${env} = $ENV{$env}\n";
}
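To find this kind of environment-dumping CGI on a server you administer, here is an added shell audit (example code written for this post, not the post's own code and not part of cPanel); the directory layout and the two script files in the fixture are constructed assumptions.

```shell
#!/bin/sh
# Audit a CGI root for Perl scripts that dump the whole %ENV, the pattern
# used by env.cgi. Every hit is a candidate for removal or access
# restriction, since such a script echoes credentials and session tokens
# carried in the environment back to whoever can reach it.
# Usage: find_env_dumpers /path/to/cgi-root   (prints one matching path per line)
find_env_dumpers() {
    root="$1"
    # Iterating over the keys of %ENV and printing $ENV{...} is the tell-tale sign.
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' \) -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -qE 'keys[[:space:]]*%ENV' "$f" && grep -qE 'print.*\$ENV\{' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed fixture so the check can be exercised offline (assumed layout).
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/backend"
    # Constructed copy of the env.cgi pattern quoted in the post.
    cat > "$dir/backend/env.cgi" <<'EOF'
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
foreach my $env ( sort keys %ENV ) {
    print "${env} = $ENV{$env}\n";
}
EOF
    # A benign script that reads one variable but does not dump the environment.
    cat > "$dir/backend/hello.cgi" <<'EOF'
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print "hello $ENV{REMOTE_USER}\n";
EOF
    printf '%s\n' "$dir"
}

# Run with --demo to build the fixture, audit it and clean up.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    find_env_dumpers "$d"
    rm -rf "$d"
fi
```

Point `find_env_dumpers` at the real CGI root of a cPanel host to list every script that dumps the environment; only `env.cgi` is reported in the fixture, `hello.cgi` is not.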

Because the file is only visible to logged-in users, how can it be misused?

  1. Phishing emails sent to a logged-in cPanel user that open this file from the user's side and send the sensitive information to the attacker
  2. Information can be accidentally disclosed when recording video tutorials or streaming

The real question is why this file was put into production on cPanel. Is it a leftover of cPanel developers’ testing, or does it actually serve a purpose? I don’t see anything malfunctioning inside WHM or cPanel after removing the file, thus it appears to be just a leftover file.


UPDATE: I’ve opened a new thread on cpanel.net forums: What’s the purpose of ../backend/env.cgi and hopefully I’ll have more information soon. 🙂

whoami
Stefan Pejcic